FastLinkIt

Sender domain (SPF/DKIM/DMARC)


Available on Professional and Unlimited org subscriptions; admin role for testing

Verify a domain you own, publish three DNS records, and FastLinkIt ships every mailing from your address with a 2048-bit DKIM signature against your reputation — not the platform's. Receivers (Gmail, Outlook, Yahoo) attribute every open and complaint directly to your domain.

Why this matters: shared sender domains mean shared reputation. If a different platform user gets reported as spam by recipients, your deliverability suffers too. Verifying your own domain isolates your reputation from everyone else's.

Where to set up

/organization → Sender Domains card (Owner / Admin role + active Professional or Unlimited org plan).

The card is hidden for users on lower plans or without an org subscription.

The setup flow

Step 1 — add the domain

Click Add a sender domain. Enter:

  • Domain (required) — e.g. news.acme.com. A subdomain is recommended over the apex so the new sender reputation is isolated from your existing mail flow.
  • From address (optional) — e.g. newsletter@news.acme.com. Defaults to mail@{domain}.
  • From name (optional) — e.g. Acme Newsletter. Shows in the From header.

Click Generate keys & show DNS records. FastLinkIt:

  • Generates a 2048-bit RSA key pair
  • Encrypts the private key at rest with IDataProtector
  • Builds the three DNS records you need to publish
  • Transitions the page to edit-mode so you can copy + paste the values

Step 2 — publish DNS records

The edit-mode page shows three cards, one per record:

SPF (TXT at the apex)

Name:  news.acme.com
Type:  TXT
Value: v=spf1 include:flnk.it ~all

DKIM (TXT at a generated selector)

Name:  flnkit-x7q9k._domainkey.news.acme.com
Type:  TXT
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkq...

The selector is a random short token (e.g. flnkit-x7q9k) so you can rotate keys later without DNS conflicts. The public key value can exceed the 255-character limit of a single DNS TXT string, so the value is pre-split into quoted segments; paste it exactly as shown.

DMARC (TXT at _dmarc)

Name:  _dmarc.news.acme.com
Type:  TXT
Value: v=DMARC1; p=none; rua=mailto:dmarc@news.acme.com

DMARC is recommended but not required to enable sending — many orgs run without one initially.

Each card has copy-buttons for both the name and the value. Paste each into your DNS provider (Cloudflare, Route 53, GoDaddy, Namecheap, etc.).

Step 3 — verify

Wait a few minutes for DNS to propagate. Click Verify all in the page header. FastLinkIt:

  • Live-queries each record using DnsClient
  • Compares the published value to what was generated
  • Updates each card's status pill: Pending / Verified / Mismatch
  • On mismatch, shows the user-facing error inline plus an expandable "Show what's currently published" diff

When SPF + DKIM both verify, Sending enabled flips on. DMARC is recommended but not enforced — the gate doesn't require it.
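
An added sketch of the Step 3 comparison (not FastLinkIt's code): it rejoins the quoted TXT segments, compares them with the generated value, and applies the SPF + DKIM gate. The key material is a constructed placeholder, and mapping "no record found" to Pending and several SPF records to Mismatch are assumptions.

```python
import re

MAX_TXT_STRING = 255  # one TXT character-string carries at most 255 bytes

# Constructed placeholder with the length of a 2048-bit RSA key in base64; not a real key.
EXPECTED_DKIM = "v=DKIM1; k=rsa; p=MIIBIjANBgkq" + "A" * 380

def split_txt(value, size=MAX_TXT_STRING):
    """Render a long TXT value as the quoted segments a DNS panel expects."""
    return " ".join('"%s"' % value[i:i + size] for i in range(0, len(value), size))

def join_txt(presentation):
    """Rejoin quoted segments as a resolver does: concatenate, no separator."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', presentation)
    return "".join(parts) if parts else presentation.strip()

def parse_tags(record):
    """Parse a 'tag=value; tag=value' list (DKIM, DMARC) into a dict."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # folding whitespace is insignificant
    return tags

def check_dkim(published, expected=EXPECTED_DKIM):
    """published: list of TXT answers at the selector name (assumed input shape)."""
    if not published:
        return "Pending"  # assumption: nothing published yet maps to Pending
    want = parse_tags(expected)
    for answer in published:
        got = parse_tags(join_txt(answer))
        if got.get("v") == want["v"] and got.get("p") == want["p"]:
            return "Verified"
    return "Mismatch"  # e.g. only the first quoted segment was pasted

def check_spf(published, include="flnk.it"):
    spf = [r for r in map(join_txt, published) if r.lower().startswith("v=spf1")]
    if not spf:
        return "Pending"
    if len(spf) > 1:
        return "Mismatch"  # assumption: receivers return permerror on multiple SPF records
    return "Verified" if "include:" + include in spf[0].split() else "Mismatch"

def sending_enabled(spf, dkim, dmarc="Pending"):
    """The gate from the text: SPF and DKIM must verify; DMARC is not required."""
    return spf == "Verified" and dkim == "Verified"
```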

What changes when sending is enabled

For every mailing you send afterwards:

  1. From address — overrides to your verified address (e.g. newsletter@news.acme.com) instead of the platform default.
  2. DKIM signing — MimeKit signs the outgoing MIME with your private key (rsa-sha256, relaxed canonicalization, signs From / To / Subject / Reply-To / Message-Id / Date headers). Receivers verify against your DNS-published public key.
  3. Reputation — Gmail's tracker, Outlook's complaint feedback loop, etc., all attribute to your domain.

The SMTP delivery provider does the signing inline. Brevo and SendGrid HTTP-API providers don't sign (their APIs don't expose raw MIME) — the From override still applies but the message ships unsigned. The service logs a warning when a verified domain is paired with a non-SMTP provider.

Key rotation

/organization → Sender Domains → click the verified domain → Rotate DKIM keys in the page header.

FastLinkIt:

  1. Generates a new selector + new key pair
  2. Encrypts the new private key
  3. Drops the DKIM Verified flag (back to Pending)
  4. Shows the new DNS record value to publish
  5. Sending stays enabled until you click Save then Verify all again

The old DNS record stays valid until you remove it manually. In-flight messages that signed against the old key continue to verify; new sends use the new key. Once the new record verifies, you can safely remove the old DNS record.

Per-domain throttling (sender side)

FastLinkIt's MailingSenderService paces inbound traffic at each receiver's tolerance:

Receiver domain                                   Default per-minute cap
gmail.com / googlemail.com                        100
outlook.com / hotmail.com / live.com / msn.com    60
icloud.com / me.com / mac.com                     60
yahoo.com / ymail.com                             30
aol.com / proton.me / protonmail.com              30
(other domains)                                   60

When a per-minute cap is hit, recipients on that domain are deferred to the next 10s sweep. The mailing flips back to Status=queued and the per-domain bucket refills continuously. Override via appsettings.json:

{
  "Mailing": {
    "Throttle": {
      "DefaultPerMinute": 60,
      "PerDomain": { "gmail.com": 150, "yourcompany.com": 0 }
    }
  }
}

Set DefaultPerMinute=0 to disable throttling globally. Set a per-domain cap to 0 to skip throttling for that one domain (useful for self-hosted internal MTAs).
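
An added sketch of the throttle described above (not FastLinkIt's MailingSenderService code): a continuously refilling per-domain bucket that reads the same appsettings.json shape. DomainThrottle, sweep and the burst size of one minute's worth of tokens are assumptions; the clock is passed in so the behaviour is reproducible.

```python
import json

# Default caps from the table above, keyed by receiver domain.
DEFAULT_CAPS = {domain: cap for cap, names in {
    100: "gmail.com googlemail.com",
    60: "outlook.com hotmail.com live.com msn.com icloud.com me.com mac.com",
    30: "yahoo.com ymail.com aol.com proton.me protonmail.com",
}.items() for domain in names.split()}

# The override from the page's appsettings.json sample.
PAGE_OVERRIDE = """{"Mailing": {"Throttle": {"DefaultPerMinute": 60,
  "PerDomain": {"gmail.com": 150, "yourcompany.com": 0}}}}"""

class DomainThrottle:
    def __init__(self, settings_json="{}"):
        cfg = json.loads(settings_json).get("Mailing", {}).get("Throttle", {})
        self.default = cfg.get("DefaultPerMinute", 60)
        self.caps = {**DEFAULT_CAPS, **cfg.get("PerDomain", {})}
        self.buckets = {}  # domain -> (tokens left, time of last refill in seconds)

    def cap_for(self, domain):
        if self.default == 0:
            return 0  # DefaultPerMinute=0 disables throttling globally
        return self.caps.get(domain, self.default)

    def try_send(self, address, now):
        domain = address.rsplit("@", 1)[-1].lower()
        cap = self.cap_for(domain)
        if cap == 0:
            return True  # a cap of 0 skips throttling for this domain
        tokens, last = self.buckets.get(domain, (float(cap), now))
        # Continuous refill: cap tokens per 60 s, at most one minute's worth (assumed burst size).
        tokens = min(float(cap), tokens + (now - last) * cap / 60.0)
        allowed = tokens >= 1
        self.buckets[domain] = (tokens - 1 if allowed else tokens, now)
        return allowed

def sweep(throttle, queue, now):
    """One pass over queued recipients; returns (sent, deferred to the next sweep)."""
    sent, deferred = [], []
    for rcpt in queue:
        (sent if throttle.try_send(rcpt, now) else deferred).append(rcpt)
    return sent, deferred
```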

Worked example — newsletter from news.acme.com

  1. Acme buys the Professional org plan at /pricing.
  2. The Owner opens /organization → Sender Domains card → Add a sender domain → enters news.acme.com + newsletter@news.acme.com + Acme Newsletter.
  3. FastLinkIt generates the keys + shows the three DNS records.
  4. The Owner pastes them into Cloudflare's DNS panel.
  5. Five minutes later, clicks Verify all → SPF + DKIM both green → Sending enabled flips on.
  6. The next mailing Acme sends ships from newsletter@news.acme.com, signed with their DKIM key, against their reputation.
